Jose
2d9aa39339
Some checks failed
ansible-lint / Ansible Lint (push) Successful in 12s
Gitleaks Scan / gitleaks (push) Successful in 5s
Markdown Lint / markdown-lint (push) Successful in 5s
ai-reviews / Review PR (pull_request) Successful in 26s
PR check / Gitleaks (pull_request) Failing after 4s
PR check / lint tests (pull_request) Successful in 13s
PR check / handle_failures (pull_request) Successful in 1s
PR check / handle_success (pull_request) Has been skipped
This commit increases the maximum redaction length for sensitive data in our codebase and updates the gitleaks configuration to exclude README.md files from scans. This ensures that we maintain a higher standard of security while avoiding false positives.
169 lines
5.4 KiB
YAML
169 lines
5.4 KiB
YAML
---
|
|
# https://github.com/kekxv/pr-check
|
|
name: PR check
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize]
|
|
|
|
jobs:
|
|
leak_test:
|
|
name: Gitleaks
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v6
|
|
with:
|
|
github-server-url: ${{ vars.GIT_SERVER_URL }}
|
|
|
|
- name: Install Gitleaks
|
|
run: |
|
|
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
|
|
| tar -xz
|
|
sudo mv gitleaks /usr/local/bin/
|
|
|
|
- name: Run Gitleaks
|
|
run: |
|
|
gitleaks dir . \
|
|
--config .gitleaks.toml \
|
|
--redact=50 \
|
|
--verbose \
|
|
--exit-code 1
|
|
--exclude-files "README.md"
|
|
|
|
lint_test:
|
|
name: lint tests
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v6
|
|
with:
|
|
github-server-url: ${{ vars.GIT_SERVER_URL }}
|
|
|
|
- name: Install Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
|
|
- name: Run markdownlint
|
|
run: npx markdownlint-cli2 "**/*.md" "#node_modules"
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.14"
|
|
|
|
- name: Install ansible-lint and yamllint
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install ansible ansible-lint yamllint
|
|
|
|
- name: Run yamllint
|
|
run: |
|
|
yamllint .
|
|
|
|
- name: Run ansible-lint
|
|
run: |
|
|
ansible-lint
|
|
|
|
handle_failures:
|
|
runs-on: ubuntu-latest
|
|
needs: [leak_test, lint_test]
|
|
if: "${{ always() && (
|
|
needs.leak_test.result != 'success' ||
|
|
needs.lint_test.result != 'success' ) }}"
|
|
|
|
steps:
|
|
- name: Comment, label, and close PR
|
|
run: |
|
|
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
|
|
PR="${{ github.event.pull_request.number }}"
|
|
TOKEN="${{ secrets.GITEA_TOKEN }}"
|
|
|
|
COMMENT_BODY="❌ CI checks failed.\n\nLeak: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
|
|
|
|
# Find existing comment
|
|
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
|
|
"$API/issues/$PR/comments" \
|
|
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
|
|
|
|
# Update or create comment
|
|
if [ -n "$EXISTING_COMMENT_ID" ]; then
|
|
curl -s -X PATCH \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
|
|
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
|
|
else
|
|
curl -s -X POST \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
|
|
"$API/issues/$PR/comments"
|
|
fi
|
|
|
|
# Add label if missing
|
|
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
|
|
if ! echo "$LABELS" | grep -q "^ci-failed$"; then
|
|
curl -s -X POST \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '["ci-failed"]' \
|
|
"$API/issues/$PR/labels"
|
|
fi
|
|
|
|
# Close PR
|
|
curl -s -X PATCH \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"state":"closed"}' \
|
|
"$API/pulls/$PR"
|
|
|
|
handle_success:
|
|
runs-on: ubuntu-latest
|
|
needs: [leak_test, lint_test]
|
|
if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
|
|
|
|
steps:
|
|
- name: Update comment, remove label, reopen PR
|
|
run: |
|
|
API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
|
|
PR="${{ github.event.pull_request.number }}"
|
|
TOKEN="${{ secrets.GITEA_TOKEN }}"
|
|
|
|
COMMENT_BODY="✅ CI checks pass.\n\nLeaks: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
|
|
|
|
# Find existing comment
|
|
EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
|
|
"$API/issues/$PR/comments" \
|
|
| jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
|
|
|
|
# Update comment if exists
|
|
if [ -n "$EXISTING_COMMENT_ID" ]; then
|
|
curl -s -X PATCH \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
|
|
"$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
|
|
fi
|
|
|
|
# Remove label if exists
|
|
LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
|
|
if echo "$LABELS" | grep -q "^ci-failed$"; then
|
|
curl -s -X DELETE \
|
|
-H "Authorization: token $TOKEN" \
|
|
"$API/issues/$PR/labels/ci-failed"
|
|
fi
|
|
|
|
# Reopen PR if closed
|
|
PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
|
|
if [ "$PR_STATE" = "closed" ]; then
|
|
curl -s -X PATCH \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"state":"open"}' \
|
|
"$API/pulls/$PR"
|
|
fi
|